Wireless Access


Certificate Error when Connecting to SSID w/ 802.1x

  • 1.  Certificate Error when Connecting to SSID w/ 802.1x

    Posted Aug 15, 2018 03:54 PM

    Another noob issue coming at ya, lol. 

     

    I am getting the following error when connecting to an SSID that's set up with 802.1X through a Windows RADIUS server.

     

    Capture1.PNG

     

    7205 Controller based wireless system



  • 2.  RE: Certificate Error when Connecting to SSID w/ 802.1x

    EMPLOYEE
    Posted Aug 15, 2018 04:03 PM

    If the certificate was issued by a Certificate Authority that the client does not trust (self-signed), the client will generate that error.  For clients that are in a domain, typically you would generate the server certificate from an Enterprise CA that is part of the domain, because the clients automatically will trust that certificate.



  • 3.  RE: Certificate Error when Connecting to SSID w/ 802.1x

    Posted Aug 15, 2018 04:38 PM

    The certificate was issued by the Domain Controller to the NPS server.

    If logged in locally to the Windows laptop, I'm able to connect to the SSID but get that error.

    If I log in to the laptop with domain credentials, it doesn't allow me to even connect to the SSID, just says it couldn't connect, never asks for credentials.

     

    How would this work with MacBooks?  Would a different type of certificate be needed in order for the message to not pop up?

     



  • 4.  RE: Certificate Error when Connecting to SSID w/ 802.1x

    EMPLOYEE
    Posted Aug 15, 2018 04:45 PM

    I think you should contact the person who set up the CA and inform them of what is happening so they can let you know how to fix this.



  • 5.  RE: Certificate Error when Connecting to SSID w/ 802.1x

    Posted Aug 15, 2018 04:49 PM

    Well, the thing is that I'm the one that set up the CA on the domain controller. I'm just not very experienced with certificates and I'm trying to learn how to do all of this.



  • 6.  RE: Certificate Error when Connecting to SSID w/ 802.1x

    EMPLOYEE
    Posted Aug 15, 2018 05:07 PM

    If it is an Enterprise CA, your clients must trust all of the certificates issued by it.  If it is not, you might have to manually insert it into your domain clients' trusted store via a group policy.  https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

     

    To find out if your clients trust that certificate or the CA that issues the certificates, on the client go to Start > Run > MMC, click on Add/Remove Snap-in and install the Certificates snap-in.  https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in



  • 7.  RE: Certificate Error when Connecting to SSID w/ 802.1x
    Best Answer

    EMPLOYEE
    Posted Aug 16, 2018 04:05 AM

    This is not an error, it's a warning that your client doesn't know whether to trust the RADIUS certificate.

    In order to make this work without this message, you either need to be in a fully AD connected environment where your Enterprise Root CA has been pushed to the client prior to connecting to the SSID and the client is part of the Active Directory.

    The other option is to pre-configure your Windows clients with the Enterprise CA root, RADIUS server (certificate) name, and authentication settings. In an AD environment, you can push these settings and certificates via group policies; for non-AD systems, that is where tools like ClearPass Onboard or Mobile/Enterprise Device Management (MDM/EMM) tools come into scope.

     

    The underlying security issue is that there is no binding between the SSID and the RADIUS server certificate. You can check this old blog post for more background.
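
Added example, not part of the thread or of any poster's reply: a PowerShell check, run on the Windows client, of the two things replies 6 and 7 say the client must already have, namely trust in the CA that issued the RADIUS (NPS) certificate and the expected server name. The file path and server name are hypothetical placeholders, and it assumes the server certificate was exported without its private key.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Run on the Windows client that shows the warning.
# Assumptions (hypothetical values): the NPS server certificate was exported
# without its private key to $ServerCertPath, and $ExpectedName is its DNS name.
$ServerCertPath = 'C:\Temp\nps-server.cer'
$ExpectedName   = 'nps01.corp.example'

$cert = [X509Certificate2]::new($ServerCertPath)

# Build the chain from the local certificate stores only; revocation lookups
# are skipped so the check also works before the client is on the network.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

# The last chain element is the root CA only if the client could find it;
# otherwise it is the server or an intermediate certificate.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topIsSelfSigned = $top.Subject -eq $top.Issuer
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint })

# Name a supplicant profile would be pinned to (SAN DNS name, else CN).
$dnsName = $cert.GetNameInfo([X509NameType]::DnsName, $false)

[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    ChainTrusted     = $chainOk
    TopOfChain       = $top.Subject
    TopIsSelfSigned  = $topIsSelfSigned
    RootInLocalStore = $topIsSelfSigned -and $inMachineRoot
    NameMatches      = $dnsName -eq $ExpectedName
} | Format-List

# Explain any failure, e.g. UntrustedRoot or PartialChain.
foreach ($s in $chain.ChainStatus) {
    '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

A status of UntrustedRoot or PartialChain means the issuing CA certificate has not reached this client's trust store, which is the condition the replies above describe.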